Using AWS IAM Roles from the CLI

AWS Identity and Access Management (IAM)

Most people who have used the AWS Command Line Interface (CLI) for more than a few minutes are familiar with the aws configure command and its ability to save an IAM user's access key ID and secret access key. Those long-lived keys belong to IAM users, but many people aren't aware that the same CLI can also work with IAM Roles, so that day-to-day commands run with short-lived credentials for a role instead of the user's own keys.


There are a couple of caveats to using AWS Identity and Access Management (IAM) Roles from the CLI.

First, there must already be a profile in the credentials file that has permission to assume the role: the IAM user behind that profile needs sts:AssumeRole on the role, and the role's trust policy must allow that user (or its account) as a principal. The CLI authenticates with that profile and then transparently assumes the requested role on every command.

Second, the interactive aws configure prompts cannot set up a role profile; they only ask for keys, region and output format. You need to hand edit the ~/.aws/credentials file (or ~/.aws/config, where the section is written [profile name] and which is the more usual home for role settings) to add the role entries, or write them with aws configure set.

The actual changes required aren't complex. The following example shows a credentials file with two different profiles. The first profile is called "source". It is the profile in the credentials file that has permission to assume the role, and it consists of the usual aws_access_key_id and aws_secret_access_key entries generated by the AWS Identity and Access Management (IAM) service for an IAM user. The second profile is called "destination". It holds no keys at all; it names the initial profile to use and the role to assume. The line "source_profile" tells the AWS CLI to use the "source" profile to connect to AWS, and the line "role_arn" tells the AWS CLI to assume the role OrganizationAccountAccessRole in account 123456789012.
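The listing itself did not survive on this page, so here is the two-profile credentials file reconstructed from the description above (an added example, not the original listing). The key pair uses the placeholder values from the AWS documentation rather than real keys, and the account number and role name are the ones named in the text:

```ini
[source]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[destination]
source_profile = source
role_arn = arn:aws:iam::123456789012:role/OrganizationAccountAccessRole
```

If you put the second profile in ~/.aws/config instead, write its header as [profile destination]; the source profile can stay in the credentials file, and the CLI will join the two.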

It is easy to switch between the source and the destination profiles when using the AWS CLI. The standard --profile command line option selects the profile for a single command (setting the AWS_PROFILE environment variable does the same for a whole shell session). With --profile destination, the CLI signs a call to STS with the source profile's keys, receives temporary credentials for the role, and signs the actual command with those.

This can be really useful when using the AWS CLI. Doing the same thing through the API takes several operations: call the AWS Security Token Service (STS) AssumeRole action with the source credentials, build a new client from the temporary access key, secret key and session token it returns, and repeat the whole exchange when those credentials expire. The CLI performs those steps for you, caches the temporary credentials under ~/.aws/cli/cache and refreshes them as needed, which really streamlines things when using AWS IAM Roles from the CLI!
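To make the "several operations" concrete, and to show what the CLI is doing behind --profile destination, here is an added example (not code from the original post or from the AWS CLI itself) that parses the two-profile credentials file described above, resolves the source_profile chain the way the CLI does, including role chaining and the error cases the CLI refuses, and then runs the AssumeRole exchange. It uses only the standard library: the STS call is a constructed stand-in named fake_assume_role so the script runs offline; with boto3 the same hop is sts.assume_role(...) followed by a Session built from the returned temporary credentials.

```python
"""Resolve an AWS CLI role profile and walk the assume-role chain.

Added example, not from the original post. Only the STS call is simulated;
the profile parsing and chain resolution mirror what the CLI does.
"""
from __future__ import annotations

import configparser
import re
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample: the two-profile credentials file described in the post.
CREDENTIALS_TEXT = """
[source]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[destination]
source_profile = source
role_arn = arn:aws:iam::123456789012:role/OrganizationAccountAccessRole
"""

# IAM role ARN: 12-digit account, then role/<optional path/>name.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=,.@/-]+)$")


@dataclass
class Credentials:
    access_key_id: str
    secret_access_key: str
    session_token: Optional[str] = None   # only temporary credentials carry one
    expiration: Optional[float] = None    # epoch seconds; None for long-lived keys

    def is_temporary(self) -> bool:
        return self.session_token is not None


def load_profiles(text: str) -> Dict[str, Dict[str, str]]:
    """Parse credentials-file text into {profile_name: {key: value}}."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def resolve_chain(profiles: Dict[str, Dict[str, str]], name: str,
                  _seen: Optional[List[str]] = None) -> List[str]:
    """Return the profiles the CLI walks, static-key profile first, target last.

    A profile with role_arn must name a source_profile; the walk ends at the
    first profile holding static keys. A missing profile, a dangling
    source_profile, a malformed role_arn or a cycle is an error, as in the CLI.
    """
    seen = _seen or []
    if name in seen:
        raise ValueError("source_profile cycle: " + " -> ".join(seen + [name]))
    if name not in profiles:
        raise KeyError(f"profile {name!r} not found")
    p = profiles[name]
    if "role_arn" in p:
        if "source_profile" not in p:
            raise ValueError(f"profile {name!r} has role_arn but no source_profile")
        if not ROLE_ARN_RE.match(p["role_arn"]):
            raise ValueError(f"profile {name!r} has a malformed role_arn")
        return resolve_chain(profiles, p["source_profile"], seen + [name]) + [name]
    if "aws_access_key_id" not in p or "aws_secret_access_key" not in p:
        raise ValueError(f"profile {name!r} has neither static keys nor role_arn")
    return [name]


def fake_assume_role(caller: Credentials, role_arn: str, session_name: str) -> Credentials:
    """Stand-in for sts:AssumeRole (constructed, not a real STS call).

    Mirrors the shape of the real response: a fresh key pair (temporary key
    IDs start with ASIA), a session token, and an expiration about an hour out.
    """
    role_name = ROLE_ARN_RE.match(role_arn).group(2).rsplit("/", 1)[-1]
    return Credentials(
        access_key_id="ASIA" + role_name[:12].upper().ljust(12, "X"),
        secret_access_key="constructed-temporary-secret",
        session_token=f"constructed-token-for-{session_name}",
        expiration=time.time() + 3600,
    )


def credentials_for(profiles: Dict[str, Dict[str, str]], name: str,
                    assume_role: Callable[[Credentials, str, str], Credentials] = fake_assume_role,
                    session_name: str = "cli-session") -> Credentials:
    """Do what the CLI does transparently for --profile <name>.

    Load the static keys from the profile at the head of the chain, then
    assume each role_arn in turn, each hop signed with the credentials from
    the previous hop (this is role chaining when there is more than one).
    """
    chain = resolve_chain(profiles, name)
    head = profiles[chain[0]]
    creds = Credentials(head["aws_access_key_id"], head["aws_secret_access_key"])
    for hop in chain[1:]:
        creds = assume_role(creds, profiles[hop]["role_arn"], session_name)
    return creds


if __name__ == "__main__":
    profiles = load_profiles(CREDENTIALS_TEXT)
    print("chain for destination:", resolve_chain(profiles, "destination"))
    temp = credentials_for(profiles, "destination")
    print("temporary key id:", temp.access_key_id, "has token:", temp.is_temporary())
```

To confirm which principal a profile actually resolves to against the real service, run aws sts get-caller-identity --profile destination: the Arn it returns is of the form arn:aws:sts::123456789012:assumed-role/OrganizationAccountAccessRole/<session-name> when the role assumption worked, and the source profile's IAM user ARN when you run the same command with --profile source.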
